8/15/2005

Zotob worm spreading

Hackers have created two worms that exploit recently published flaws in Microsoft software, less than a week after the Redmond giant released its latest regular monthly batch of patches.
Security testers warned on Friday that exploit code for the flaw in Microsoft's Plug and Play software had appeared on hacking web sites and a newly created family of worms, dubbed Zotob, is spreading across networks in a similar fashion to the Sasser worm. However experts are telling computer users not to panic.
"Zotob is not going to become another Sasser," said Mikko Hyppönen, director of antivirus research at F-Secure.
"First of all, it will not infect Windows XP SP2 machines. It also won't infect machines that have 445/TCP blocked at the firewall. As a result, the majority of Windows boxes on the net won't be hit by it."
Nevertheless, Hyppönen warns that there are certain similarities between Zotob and Sasser. Both were based on exploit code devised and distributed by the 'houseofdabus' hacking group.
Zotob A and B spread without the need for any user interaction, predominantly via unpatched PCs on a computer network. It scans for machines via Port 445 and, once it finds a vulnerable PC, it downloads the main virus file via FTP.
Once installed, the code allows remote control of the infected system. The virus authors also left a message for the antivirus community embedded in the code.
"MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!"
In addition, the virus blocks access to security web sites, as well as those operated by eBay, Amazon or PayPal.